What Can We Learn from eClinicalWorks’ Big Mistake?

Electronic health record (EHR) vendor eClinicalWorks (eCW) and several of its executives are on the hook for $155 million to resolve a False Claims Act lawsuit alleging that the company misrepresented the capabilities of its software. The U.S. Department of Justice announced the settlement on May 31.

Resolution of the case also required eCW to enter into a Corporate Integrity Agreement (CIA) with the Office of the Inspector General at the U.S. Department of Health and Human Services (HHS-OIG), which oversees “meaningful use” incentive payments to healthcare providers relating to their adoption and implementation of certified EHR technology.

According to the government, eCW concealed that its software was “hardcoded” to meet certification requirements for standardized drug codes instead of actually retrieving the proper drug codes from a complete database. Other cited faults in eCW’s software included:

  • not having an audit log for accurate recording of user actions;
  • not reliably recording diagnostic imaging orders;
  • not reliably performing drug interaction checks; and
  • failing to satisfy data portability requirements for transferring patient data from eCW’s system to other vendors’ software.

All told, because of the deficiencies, “eCW caused the submission of false claims for federal incentive payments based on the use of eCW’s software,” HHS-OIG charged. $125 million of the company’s fines will go to repay Medicare and Medicaid for incentive disbursements under their respective meaningful use programs. (eCW customers who successfully attested to meaningful use in good faith will not be involved in the government repayments.)

Aside from the financial penalties, eCW’s CIA, which extends for five years, requires the company to retain an independent oversight organization to assess its software quality control systems, with semi-annual written reports to be filed with HHS-OIG. The CIA also mandates that eCW allow its customers to obtain free software updates; customers also have the option of transferring their data to another EHR vendor without penalties or service charges.

Industry fallout

eCW agreed to the settlement without acknowledging any wrongdoing. The company said it did so to avoid lengthy and costly litigation. eCW’s EHR system remains certified under the meaningful use program. Nonetheless, the underlying facts of the case appear to have cast a broad shadow across the health IT landscape.

A report compiled by market research firm Reaction Data after announcement of the settlement found 71 percent of respondents saying they would be extremely unlikely to consider eCW in the future. What’s more, 27 percent indicated that the case had lowered confidence in their current EHR vendor, and 35 percent reported being “significantly more suspicious” of other EHR vendors.

Healthcare attorney Bob Ramsey told Healthcare Informatics that the eCW allegations may be an extreme case, but added, “Interoperability and data portability is viewed as necessary in the health world, but it’s easier said than done.”

Peter DeVault, vice president of interoperability at EHR vendor Epic, recently noted that healthcare providers would be well served to rely less on EHR certifications moving forward and to concentrate more heavily on demonstrated benefits.

NetDirector’s vendor-neutral approach to data exchange elevates providers’ ability to achieve EHR interoperability while working toward meaningful use incentives. In an environment currently clouded by skepticism, the HealthData Exchange platform automates integrations in a manner that exceeds industry standards.

NetDirector CEO Harry Beisswenger puts the technology in perspective: “It’s important for us to aid healthcare providers and vendors in reaching meaningful use benchmarks because we know that ultimately impacts the level of patient care.”

For more information, please contact us or request a free demo.


What’s Happening in Healthcare Regulation and Compliance

Technology’s crossover into most aspects of healthcare brings new possibilities in prevention, treatment and continuous care. But sometimes, too, it raises unique issues that need to be addressed by regulatory or legislative oversight.

Recent headlines from opposite ends of the U.S. highlight new laws at the state level — but with implications that could soon apply more broadly.

The rise of ransomware

Ransomware attacks, in which hackers disable computer systems and demand payment before allowing victims to regain access, would be prosecuted as cyber-extortion under a bill advancing in California’s legislature.

The bill heads to the state Senate’s appropriations committee with strong support. It follows a high-profile case that ended in February with Hollywood Presbyterian Medical Center paying a $17,000 ransom in bitcoin to a hacker who had shut down the 434-bed hospital’s systems.

“The malware locks systems by encrypting files and demanding ransom to obtain the encryption key,” Hollywood Presbyterian CEO Allen Stefanek told the Los Angeles Times. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

The office of California State Senator Bob Hertzberg cited FBI statistics stating that hackers collected more than $209 million in ransomware payments in the United States during the first quarter of 2016.

Shortly after the Hollywood incident, computers at the Los Angeles County Department of Health Services were infected with a data-blocking program, the Times reported. In that instance, the agency refused to pay ransom and isolated infected devices on its own.

In a separate case in late March, MedStar Health, which operates 10 hospitals in the Washington, D.C. area, acknowledged on Facebook that a virus prevented certain users from accessing email and electronic patient records. MedStar opted to take down all system interfaces to prevent the virus from spreading and reported there was no evidence that information had been compromised. However, the health system had to utilize paper transactions where necessary.

Another malware attack last month at Methodist Hospital in Henderson, Kentucky, locked users out of electronic web-based services. A spokesperson said no patient data was impacted, but IT had to shut down all of the hospital’s desktop computers and scan each for infection before restoring operations. As in the MedStar case, the facility chose not to pay ransom but incurred time costs in resorting to paper-based back-up systems.

New York makes e-prescribing mandatory

Electronic prescribing for controlled and non-controlled substances became mandatory under New York state law on March 27. The e-prescribing edict, part of the state’s Internet System for Tracking Over Prescribing law, carries possible civil/criminal penalties or fines for non-compliance. The measure is intended to reduce prescription theft and forgery, as well as “doctor shopping” by patients.

Of particular note for electronic prescribing of controlled substances (EPCS), the law requires additional security features and registration of certified software with the Bureau of Narcotic Enforcement (BNE).

A year ago, the New York Department of Health sent a letter to prescribers cautioning that “implementation timelines for EPCS software vary and may be lengthy.” The agency strongly recommended immediate action in obtaining and registering certified EPCS software, which in many cases may be part of a commercial EHR system.

According to health information network Surescripts, more than two-thirds of active e-prescribers in New York are EPCS-enabled after a large surge earlier this year.

But even though providers may apply for a waiver from the EPCS requirements under specified circumstances (including technology limitations), physicians and organizations using systems from small EHR vendors may still be out of compliance. Achieving certification is “a bit of a heavy lift on the EHR side,” Surescripts Senior Vice President Ken Whittemore told Health Data Management.

Additionally, BNE approval requires completion of EHR updates, identity-proofing of prescribers, two-factor authentication for prescription signing, and establishment of secure access controls, noted Whittemore.

Keeping the focus on care

The delivery of healthcare shouldn’t be derailed by security threats from outside agents. Nor should it be burdened with technology implications stemming from otherwise well-meaning requirements.

At NetDirector, we stay current with issues that could affect compliance in these areas, so that providers can focus on delivering superior care. Our solutions implement high-level integrations that insulate organizations from cyber-hazards and enable core systems to function as intended — and, in some cases, as required by law or regulation.
